Why I’ve started using NoScript

Edit: I’ve up­dated some­what based on Said’s com­ment be­low, to think that NoScript is not a tool for ev­ery­one. I haven’t de­cided to stop us­ing it, but I have de­cided to stop strongly recom­mend­ing that oth­ers use it. I es­pe­cially urge you to read about the other ex­ten­sions he lists at the end of his com­ment.

Edit 2: It’s also been pointed out to me that uBlock Ori­gin also has ca­pa­bil­ities for block­ing 3rd party JavaScript, and might be even bet­ter at it than NoScript; in line with the idea that this is not for ev­ery­one, this func­tion­al­ity re­quires the user to ex­plic­itly claim to be an “ad­vanced user” and read var­i­ous doc­u­men­ta­tion first. You may also be in­ter­ested in read­ing the dis­cus­sion for this post on lob­ste.rs

NoScript is a browser ex­ten­sion[1] that pre­vents your browser from load­ing and run­ning JavaScript with­out your per­mis­sion. I re­cently started us­ing it, and I highly recom­mend it.

I had first tried us­ing NoScript around a decade ago. At the time it seemed like too much of a has­sle. I ended up want­ing to en­able al­most all the scripts that were in­cluded, and this was some­what an­noy­ing to do. Things have changed a lot since then.

For one, NoScript’s user in­ter­face has be­come much bet­ter: Now, if a page isn’t work­ing right, you sim­ply click the NoScript icon and whitelist any do­mains you trust, or tem­porar­ily whitelist any do­mains you trust less. You can set it to au­to­mat­i­cally whitelist do­mains you di­rectly visit (thereby only block­ing third-party scripts).

A more press­ing change is that I’m now much less com­fortable let­ting ar­bi­trary third par­ties run code on my com­puter. I used to be­lieve that my browser was fun­da­men­tally ca­pa­ble of keep­ing me safe from the scripts that it ran. Sure, track­ing cook­ies and other tricks al­lowed web sites to cor­re­late data about me, but I thought that my browser could, at least in prin­ci­ple, pre­vent scripts from read­ing ar­bi­trary data on my com­puter. With the ad­vent of CPU-ar­chi­tec­ture-based side chan­nel at­tacks (Melt­down and Spec­tre are the most pub­li­cized, but it seems like new ones come out ev­ery month or so), this be­lief now seems quite naïve.

Fi­nally, in that decade, third-party scripts for track­ing and ads have be­come al­most liter­ally ubiquitous on the web. Just about ev­ery web site I visit, I’ve dis­cov­ered, has at least a cou­ple of third-party de­pen­den­cies, whose prove­nance I don’t trust, and which I’d rather not spend (even a minus­cule pro­por­tion of) my en­ergy bill on. Even dis­re­gard­ing the new hard­ware vuln­er­a­bil­ities, I don’t think ar­bi­trary third party track­ers ought to be trusted to run in your browser[2]; if even one of the hun­dreds of track­ing scripts is com­pro­mised, this could eas­ily leak your pass­words or other data to at­tack­ers.

An added benefit has been that NoScript works bet­ter than my ad blocker. Around the time I started us­ing NoScript, I was watch­ing a show on a stream­ing site I don’t nor­mally visit, that shall re­main name­less. This site is ex­tremely an­noy­ing. It plays more ads per minute than con­tent, some­how evad­ing uBlock Ori­gin, and of­ten the ads seem to break the ac­tual video player so that the show stops part­way through. After in­stal­ling NoScript, I spent about 3 min­utes wad­ing through the ~50 script sources, en­abling not-ads un­til even­tu­ally the video played. I was thrilled to see that the video played perfectly, with no in­ter­rup­tions.

In sum­mary, just go try it. You might not like it, but at least then you’ll know.

Speak­ing as some­one who both builds web­sites, and also has very strong ob­jec­tions to ads, track­ing, web­site bloat, and all the other mal­adies and af­flic­tions of the mod­ern web, I have to say that… us­ing NoScript is not a good sug­ges­tion.

There are sev­eral rea­sons; some are en­tirely self­ish, and some have to do with how your ac­tions af­fect wider trends. I’ll list what I think are the ma­jor rea­sons.

First, though, let me say that I en­tirely agree with you when you say “I don’t think ar­bi­trary third party track­ers ought to be trusted to run in your browser”. I’ll go fur­ther, and say that I have no obli­ga­tion to view ads, to be tracked, to view mes­sages about how ads are nec­es­sary for a web­site’s rev­enue and con­tinued sur­vival, to view mes­sages about cook­ies or other GDPR-re­lated non­sense, to click on pop­ups about those mes­sages, to view or click on pop­ups ask­ing me to reg­ister an ac­count with a web­site, etc., etc., etc. It’s my com­puter, and I have the ab­solute right (as­sum­ing I am break­ing no laws) to view con­tent thereon in what­ever way I wish.

And I still don’t think NoScript is a good call. Here’s why.

It breaks web­sites in ways that may not be ob­vi­ous.

It is, in some sense, the less bad sce­nario if you visit a site and it’s just ob­vi­ously hor­ribly bro­ken; you click that NoScript icon, whitelist the site, and voilà—you’re good to go. But what if a site seems to be fine? It might not oc­cur to you to en­able NoScript… but you’ll be miss­ing po­ten­tially quite im­por­tant site fea­tures. If you get used to brows­ing with NoScript, you might not even think to turn off the ex­ten­sion for a web­site… and be de­prived of work the site de­signer has put in to make the web­site us­able and use­ful.

The per­verse irony of this is that it means that us­ing NoScript will most re­li­ably dam­age your user ex­pe­rience of pre­cisely those web­sites that use JavaScript re­spon­si­bly. For a sim­ple ex­am­ple, take the web­site which I am, right now, us­ing to type this com­ment: GreaterWrong. If you turn off JavaScript, you can still view posts and com­ments, and in fact the site will at first glance look just fine (this is by de­sign; we want to sup­port those users who, due to limi­ta­tions of hard­ware and soft­ware, can­not run the JS we use). But you will not have any of the us­abil­ity en­hance­ments GreaterWrong offers—chang­ing the text size, ad­just­ing the ap­pear­ance (themes & theme tweaker) and the con­tent width, key­board-based nav­i­ga­tion fea­tures, etc.

This is, of course, di­rectly a prob­lem for you, as an in­di­vi­d­ual, but it gets worse due to gen­eral user-pop­u­la­tion trends. Wide­spread use of NoScript among those who care about is­sues re­lated to web bloat (and re­lated is­sues) would (and, I strongly sus­pect, already is) weaken or even largely re­move the pres­sure on web de­sign­ers to min­i­mize at least the most egre­gious of such anti-pat­terns. If I know that weigh­ing down my site with a bunch of JavaScript means that many users will sim­ply leave the site and never come back, I will put effort into op­ti­miza­tion. But if I know that any­one who cares about perfor­mance will in any case have NoScript in­stalled, then why not add frame­work af­ter frame­work and tracker af­ter tracker?

Note that I am not say­ing “and there­fore you must suffer the bur­den of web­sites filled with mal­i­cious and bloated JavaScript… For The Com­mon Good™”! Rather, I am say­ing that the right way to fight these un­de­sir­able trends is not NoScript, but rather some­thing else (see be­low).

It is a blunt in­stru­ment, and that leads to se­cu­rity lapses.

If you find that a web­site doesn’t work with NoScript en­abled, you can, in­deed, la­bo­ri­ously whitelist one do­main at a time, af­ter man­u­ally check­ing the prove­nance of each one, un­til the site be­gins to work. But, for one thing, most peo­ple will not do this; they will be less care­ful, and will whitelist what­ever it takes to make a site work. And even if you do care­fully and man­u­ally whitelist ev­ery script do­main one by one, you will in­evitably let in some “naughty” scripts by mis­take. Either way, se­cu­rity lapses will re­sult.

Much more com­pre­hen­sive pro­tec­tion than NoScript (to­gether, these add-ons will also block track­ing pix­els, cook­ies, cen­trally dis­tributed CSS or images or other as­sets that could track you, etc.)

To add to what I say in the par­ent com­ment, I want to com­ment a bit more about the se­cu­rity is­sue. From the OP:

… if a page isn’t work­ing right, you sim­ply click the NoScript icon and whitelist any do­mains you trust, or tem­porar­ily whitelist any do­mains you trust less.

But how the heck do I know what do­mains I trust? This se­cu­rity model re­quires me to know, and think, about what do­mains are “trust­wor­thy” and what ones are not… in the face of con­stant, highly lu­cra­tive (and there­fore highly in­cen­tivized) efforts at de­cep­tion and treach­ery on the part of the ad-tech com­pa­nies (and other bad ac­tors)!

Which of the fol­low­ing is a bet­ter ap­proach to se­cu­rity:

Per­son­ally un­der­take to de­cide which ex­ter­nal scripts and as­sets come from “trust­wor­thy do­mains” (and are there­fore safe… pre­sum­ably?), for ev­ery web­site I visit which im­ple­ments some po­ten­tially de­sir­able JavaScript func­tion­al­ity which I would want to en­able.

I also sug­gest Fire­fox Reader View (or Just Read for Chrome). Th­ese will ren­der only the main ar­ti­cle on a page, strip­ping away all the ex­tra junk. Many com­mer­cial sites have click­bait ar­ti­cles, au­to­play videos, and other non­sense alongside the main ar­ti­cle on a page. Ad Block­ers and se­cu­rity add-ons will leave all this dis­tract­ing noise alone. Reader View ren­ders pre­cisely what you want to see (usu­ally).

But like NoScript, Reader View is a blunt in­stru­ment and will throw out use­ful site fea­tures. I only en­able it in the rare case where there’s a worth­while ar­ti­cle on a crappy site.

This is a great re­sponse and I’m glad to have read it. How­ever I think you miss one im­por­tant dis­ad­van­tage of your ap­proach: Th­ese al­ter­na­tives are mostly black­lists, and so they be­come less use­ful as you get fur­ther into the less-traf­ficked cor­ners of the web, which is also where you’re most likely to hit, e.g., in­visi­ble com­pro­mised re­sources.

I’ve also been sur­prised at how lit­tle “whitelist fa­tigue” I’ve got­ten. I would have naively ex­pected to get tired of whitelist­ing do­mains, but in prac­tice it’s con­tinued to feel free­ing rather than ob­nox­iously at­ten­tion con­sum­ing, and site func­tion­al­ity is al­most always easy /​ ob­vi­ous to en­able prop­erly. It’s pos­si­ble that some­times I miss in­tended func­tion­al­ity, but I doubt that this comes close to out­weigh­ing the benefits.

Edit: the fol­low­ing para­graph mi­s­un­der­stands Said’s com­ment and doesn’t ad­dress the point that it was meant to; apolo­gies.

Fi­nally, I don’t buy the ar­gu­ment about in­cen­tiviz­ing web au­thors. If track­ers work less well, there is ob­vi­ously less in­cen­tive to use them. If the only thing hold­ing back au­thors from adding track­ers willy-nilly is user an­noy­ance at page bloat, then it’s clearly not enough, and so tel­ling peo­ple to just go on shoulder­ing that an­noy­ance to en­sure that the an­noy­ance is min­i­mized seems like priv­ileg­ing sec­ond-or­der effects that I would ex­pect to be small.
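The default-deny model from the post (trust the site you visit, whitelist or temporarily whitelist other domains) set beside the blacklist model this comment contrasts it with, as an added example that is not from the post, the comments, NoScript or uBlock Origin. All hostnames are constructed, and the hostname matching is a simplification that does not use the Public Suffix List.

```javascript
// Added illustration: not NoScript's or uBlock Origin's code.
// All hostnames below are constructed sample data.

// True when host equals domain or is a subdomain of it (label-boundary match).
// Simplification: real extensions consult the Public Suffix List.
function matchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function matchesAny(host, domains) {
  return [...domains].some((d) => matchesDomain(host, d));
}

// Default-deny: a script runs only if it is first party, trusted, or
// temporarily trusted. Anything unknown is blocked.
function allowlistDecision(pageUrl, scriptUrl, policy) {
  const pageHost = new URL(pageUrl).hostname;
  const host = new URL(scriptUrl).hostname;
  if (policy.trustFirstParty && matchesDomain(host, pageHost)) return "allow";
  if (matchesAny(host, policy.trusted)) return "allow";
  if (matchesAny(host, policy.tempTrusted)) return "allow-temp";
  return "block";
}

// Default-allow: a script is blocked only if its host is on the list.
function blocklistDecision(scriptUrl, blocklist) {
  const host = new URL(scriptUrl).hostname;
  return matchesAny(host, blocklist) ? "block" : "allow";
}

// Temporary trust is dropped when the browsing session ends.
function endSession(policy) {
  policy.tempTrusted.clear();
}

// Hosts a blocklist lets through that default-deny would have stopped.
function onlyStoppedByAllowlist(pageUrl, scriptUrls, policy, blocklist) {
  return scriptUrls
    .filter((u) => allowlistDecision(pageUrl, u, policy) === "block" &&
                   blocklistDecision(u, blocklist) === "allow")
    .map((u) => new URL(u).hostname);
}

const page = "https://news.example/story";
const scripts = [
  "https://news.example/app.js",            // first party
  "https://cdn.widgets.example/player.js",  // trusted by the user
  "https://pay.example/checkout.js",        // trusted for this session only
  "https://tracker.example/t.js",           // known tracker, on the blocklist
  "https://nottracker.example/lib.js",      // unknown host, on no list
];
const policy = {
  trustFirstParty: true,
  trusted: new Set(["widgets.example"]),
  tempTrusted: new Set(["pay.example"]),
};
const blocklist = new Set(["tracker.example"]);

console.log(scripts.map((u) => allowlistDecision(page, u, policy)));
console.log(onlyStoppedByAllowlist(page, scripts, policy, blocklist));
```

The unknown host is the case the comment is about: it is on no list, so only the default-deny policy stops it, and the session-only entry stops being trusted once `endSession` runs.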

tel­ling peo­ple to just go on shoulder­ing that an­noy­ance to en­sure that the an­noy­ance is minimized

With re­spect, please re-read my com­ment, be­cause not only did I not say any­thing like this, I speci­fi­cally pointed out that I am not say­ing any­thing like it!

Fur­ther­more, the ar­gu­ment from in­cen­tives was not speci­fi­cally (or even mostly) about track­ers; it was about bloat in web­site de­sign /​ fea­tures. Frankly, it does not seem to me like you have given due con­sid­er­a­tion to what I wrote in that sec­tion of my com­ment…

How­ever I think you miss one im­por­tant dis­ad­van­tage of your ap­proach: Th­ese al­ter­na­tives are mostly black­lists, and so they be­come less use­ful as you get fur­ther into the less-traf­ficked cor­ners of the web, which is also where you’re most likely to hit, e.g., in­visi­ble com­pro­mised re­sources.

This is an in­ter­est­ing coun­ter­point, cer­tainly. I am cu­ri­ous to what ex­tent this is true in prac­tice, and whether you make this claim on the ba­sis of ex­pe­rience, or sup­po­si­tion; do you have ex­am­ples?

I dis­agree with your ar­gu­ment. NoScript is an ex­cel­lent tool and I use it on my per­sonal browsers in ad­di­tion to uBlock Ori­gin.

Yes, it dis­ables JavaScript and some­times can break web­pages. In those cases I’ll check my con­sole and be­gin en­abling JavaScript on the host page and any ob­vi­ous CDNs it may be us­ing. If af­ter a cou­ple of at­tempts the page still won’t dis­play con­tent, I’ll usu­ally just leave the site as it’s not worth it.

On pages that ac­tu­ally do re­quire JavaScript for dis­play (simu­la­tions, vi­su­al­iza­tions, etc), I’ll let it run.

I’m cu­ri­ous as to why you think dis­abling JavaScript is some­thing to avoid. It’s ex­e­cut­ing code, con­sum­ing power and oc­cu­py­ing my CPU and RAM, of­ten for no other pur­pose other than re­port­ing my be­hav­ior back to some third party host. Why would I want to al­low that?

Yes, it dis­ables JavaScript and some­times can break web­pages. In those cases I’ll check my con­sole and be­gin en­abling JavaScript on the host page and any ob­vi­ous CDNs it may be us­ing. If af­ter a cou­ple of at­tempts the page still won’t dis­play con­tent, I’ll usu­ally just leave the site as it’s not worth it.

Over half of my com­ment, by word count, is ded­i­cated to ad­dress­ing, and de­con­struct­ing, speci­fi­cally this ar­gu­ment, and ex­plain­ing both of the prob­lems with it. Mean­ing no offense, but I am hav­ing a hard time be­liev­ing that you read what I wrote; it rather seems like you in­stead skimmed my com­ment, pat­tern-matched to sim­plis­tic ar­gu­ments you’ve read el­se­where, and re­sponded to that straw ver­sion. I can’t re­ally say any­thing in re­sponse with­out re­hash­ing ex­actly what I wrote, be­cause what I wrote is already a re­but­tal of your points!

May I re­spect­fully ask that you re-read my com­ment? If you still do not think that your ar­gu­ments are ad­dressed, then I sup­pose I have noth­ing fur­ther to say.

I’m cu­ri­ous as to why you think dis­abling JavaScript is some­thing to avoid.

I ex­plained this in my com­ment. See above.

It’s ex­e­cut­ing code, con­sum­ing power and oc­cu­py­ing my CPU and RAM, of­ten for no other pur­pose other than re­port­ing my be­hav­ior back to some third party host. Why would I want to al­low that?

Once again, the spe­cific JavaScript that is run­ning “for no other pur­pose other than re­port­ing my be­hav­ior back to some third party host” is, in­deed, that which you ab­solutely should be block­ing. I ex­plained that in my com­ment, as well, and I gave a de­tailed ex­pla­na­tion of how to do pre­cisely that.

Just about ev­ery web site I visit, I’ve dis­cov­ered, has at least a cou­ple of third-party de­pen­den­cies, whose prove­nance I don’t trust, and which I’d rather not spend (even a minus­cule pro­por­tion of) my en­ergy bill on.

A much bigger win in the same vein is your mobile data bill! I’ve been using Brave on Android with JS off by default and adblocking and my month-to-month data usage has fallen precipitously. (One can also use Firefox mobile with various add-ons to achieve the same effect, obviously.)

Tangent to the general discussion here, I would be interested in hearing others’ opinions on a view I hold regarding the entire state of affairs with online marketing techniques around tracking (both in terms of URL and geolocation).

I try to think about what we would do if mar­ket­ing fol­lowed the same ap­proach in the real world as in the vir­tual world (as­sume the costs were near zero). I would think most peo­ple would con­sider the real world ac­tions to be a form of stalk­ing and con­sid­ered ille­gal.

It feels like it de­pends a bit on how you frame it. A lot of ses­sion track­ing is ba­si­cally equiv­a­lent to a store-clerk pay­ing at­ten­tion to what you do in their store, which is pretty com­mon prac­tice. Can you say more about what spe­cific kinds of track­ing feel un­eth­i­cal to you? (I can see some other things that are more cross-site track­ing that feel worse to me, but not nec­es­sar­ily that much worse than be­ing watched by a se­cu­rity guard in a mall)

I think it de­pends a lot on how you frame it, and analo­gies work much less well than peo­ple ex­pect be­cause of ways the In­ter­net is very differ­ent from pre­vi­ous en­vi­ron­ments.

The in­tu­itive so­cial norms sur­round­ing the store clerk in­volve the clerk hav­ing so­cially nor­mal mem­ory perfor­mance and a so­cial con­science sur­round­ing how they use that mem­ory. What if the store clerk were writ­ing down ev­ery­thing you did in the store, in­clud­ing ev­ery time you picked your nose, your ex­act walk­ing path, ev­ery sin­gle item you looked at and put back, and what you were mut­ter­ing to your shop­ping com­pan­ion? What if that list were quickly sent off to an office across the coun­try, where they would try to figure out any num­ber of things like “which peo­ple look sus­pi­cious” and “where to dis­play which items”? What if the clerk fol­lowed you around the en­tire store with their notepad when it’s a gi­ant box store with many de­part­ments? For the cross-site case, imag­ine that the office also re­ceives de­tailed notes about you from the clerks at just about ev­ery other place you go, be­cause those ones wound up with more prof­itable store lay­outs and lower theft rates and the other shops grad­u­ally went out of busi­ness.

There are other anal­ogy fram­ings still; con­sider one with se­cu­rity cam­eras in­stead, and whether it feels differ­ent, and what differ­ent as­sump­tions might be in play. But in all of those cases, rely­ing on mis­placed as­sump­tions about hu­man­like ca­pa­bil­ity, mo­ti­va­tion, and agency is to be wary of. (For­tu­nately, I think a lot of peo­ple here should be fa­mil­iar with that one!)

Yeah, I share the sense that sim­ply rea­son­ing from anal­ogy is not su­per use­ful here, which is why I dis­agreed a bit with the top-level ar­gu­ment which said that by anal­ogy to ex­ist­ing mar­ket­ing prac­tices, we should con­sider track­ing ob­vi­ously equiv­a­lent to stalk­ing, which felt rel­a­tively weak to me (though I do ac­tu­ally think there are a bunch of quite se­ri­ous prob­lems with track­ers of var­i­ous forms).

I agree, there is a lot that hap­pens in real in­ter­ac­tions that is similar but seems much differ­ent.

First, the store clerk is limited largely to that store. The vir­tual world and big data is about tak­ing all my other ac­tivi­ties and then us­ing that to guide how the clerk en­gages me in that one store. The par­allel there would be hav­ing that clerk fol­low me around all day doc­u­ment­ing ev­ery­thing I do, buy, look at....

I have more con­trol over what in­for­ma­tion I provide the clerk. Clearly that per­son will know my sex/​gen­der, ap­prox­i­mate age and other phys­i­cal traits. If they are re­ally at­ten­tive, and able to see, they might know what type of car I drive and would be able to guess at so­cioe­co­nomic sta­tus based on dress, speech and man­ner/​de­meanor. They will gen­er­ally not know my name, ad­dress or ap­prox­i­mate lo­ca­tion, my travel habits, where I might work or my larger so­cial cir­cle.

Much of the in­for­ma­tion now col­lected is some­thing I have no con­trol over. For the clerk I can do any num­ber of things to con­trol what in­for­ma­tion I share. This is not the case in the vir­tual world. So, that gets me back to the “If some­one did this in the real world....”

It’s not that I’m say­ing ev­ery­thing should be taken as stalk­ing but rather it should be con­sid­ered more care­fully. I’ve just never re­ally seen the is­sue framed as how would this look if done in the “old fash­ioned” shop­ping/​com­mer­cial in­ter­ac­tion set­ting. Would that change any­thing?